The 20 Critical Security Controls


March 15, 2013 | By Dell SecureWorks

The 20 Critical Security Controls for Effective Cyber Defense (commonly called the Consensus Audit Guidelines or CAG) is a publication of best practice guidelines for IT security. The project was initiated in 2008 in response to data losses experienced by organizations in the U.S. defense industrial base.

The Consensus Audit Guidelines consist of 20 key actions, called security controls, that organizations should take to block or mitigate known cyber attacks. The controls are designed so that they can be implemented, enforced and monitored primarily by automated means. They give practical, actionable recommendations for cyber security, written in language that is easily understood, and rest on three guiding principles:

Ensure that security investments are focused on countering the highest-risk threats,

Maximize the use of automation to enforce security controls, thereby minimizing human error, and

Use a consensus process to collect the best ideas.

The 20 Critical Controls are being prioritized for implementation by organizations that understand the evolving risk of cyber attack. Leading adopters include the U.S. National Security Agency, the British Centre for the Protection of National Infrastructure, and the U.S. Department of Homeland Security Federal Network Security Program. Ten state governments as well as power generation and distribution companies and defense contractors are among the hundreds of organizations that have shifted from a compliance focus to a security focus by adopting the Critical Controls.

All of these entities have adopted the Critical Controls in answer to the question: "What needs to be done right now to protect my organization from known attacks?" Adopting and operationalizing the Critical Controls allows organizations to easily document those security processes to demonstrate compliance.

Notable results

Starting in 2009, the U.S. Department of State began supplementing its risk scoring program in part using the Critical Controls. According to the Department's measurements, in the first year of site scoring using this approach the Department reduced overall risk on its key unclassified network by nearly 90 percent in overseas sites, and 89 percent in domestic sites.

The Critical Controls are regularly updated by The Consortium for Cybersecurity Action (CCA), a virtual community of more than 100 agencies, companies, and individuals. More info on the CCA and the Controls, including the complete list, can be found at www.SANS.org.

The following lists ten of the 20 Critical Controls that can be addressed with Dell SecureWorks services: